RDS 2012 two Gateway

Similar Messages

• RDS 2012 Multiple Gateways

  Hi all,
  In a RDS 2012 R2 setup, is it possible to have two independant gateways (not HA)? One gateway would answer to gateway.xyz.com and the other would answer to gateway.abc.com.  This setup would require two different certificates. Is this possible?
  Thanks,
  Jesmat

  Hi Jesmat,
  Yes, you should be able to use multiple independent RD Gateways with a single RDS deployment, however, there are limitations and additional configuration steps.  For example, you cannot use Server Manager or the powershell commands to assign the certificate
  to the RD Gateways since you need to have different certs on each, instead use RD Gateway Manager.  Another thing is if you plan on using RDWeb or the Feed then you need to have each RDG serve separate collections, and on each collection you need
  to set a custom rdp property using powershell so that you can have a different FQDN for the RDG on each.
  I'm sure there are other considerations that are specific to your use case that will affect how you set things up.  Please keep in mind that your intended scenario is not one of the standard ones so you will need to plan things a bit more and you may
  notice different behavior than expected.
  -TP

• RDS 2012 Two RD SH collections : duplicate applications

  Hi, I have deployed   Two RD CB servers  in HE mode   and  two RD Web servers in HE mode through NLB.
  I have deployed four  RD SH servers. Two of them are deployed on same servers as  where RD CB and  RD WEB is deployed.
  Because I have specific application that will run only on two RD SH servers,  I was forced to  split servers in two collections.
  Now because i have some common application  that are hosted on both servers,  I have to published  remote app programs in both  RS SH Collections.
  Problem is, that  when you log in to  RD WEB portal, I get duplicate icons. One to connect to one collection and one to connect to  other collections.
  Is there a way to merge  those common application, so that  users do not see twice same application.  In citrix, that was fine, because you could say application is published  in those  servers, her  in MS
  RDS ins  all around, you publish application on RDSH collection…

  Hi,
  Thank you for posting in Windows Server Forum.
  After going through your description, here I can suggest some basic steps. For not allowing same RemoteApp to appear twice from different RDSH server on RD Web we can restrict RemoteApp to specific user whether he can see\access the RemoteApp or not. 
  For this you can create group if multiple users (if single user then directly select user), after that in specific RemoteApp properties we can assign which user can see\access that app. So in this way you can maintain the RemoteApp for users so that they can’t
  see double RemoteApp. You can get more information below.
  Introducing RemoteApp User Assignment
  http://blogs.msdn.com/b/rds/archive/2009/06/12/introducing-remoteapp-user-assignment.aspx
  You can check below snap for same.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Installed the RDS 2012 Server License per user CAL (5pcs) after not allow over two users remote desktop connection problem

  I have successfully to installed the RDS 2012 Server R2 per user CAL (5pcs) Open License after is found not allow over two users to remote desktop connection on this Server problem, I try to uninstall the license and then (internet on-line & telephone
  call Microsoft Activate Center get the activate key) to reinstall is still same of the result on below problem.
  Select a user disconnect so that you can sign in.
  There are too many users signed in
  User1 Active
  User2 Active
  () Force disconnect of the user

  Hi,
  In addition you can also refer following article for RDL configuration.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN

  Hi there,
  I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to it's AD requirements etc).
  What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
  Thanks,
  Paul.

  Hi Paul,
  It is generally considered more secure to have a reverse proxy in front of RDG.  I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP.  Whether
  or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies.  Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method
  to provide an extra layer of protection.
  -TP

• Best practice for RDGW placement in RDS 2012 R2 deployment

  Hi,
  I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
  Farm works great for LAN and VPN users.
  Now i want to add two domain joined RDGW servers.
  The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
  Should i:
  - set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
  - place RDGW in the DMZ, opening all those required ports into the LAN
  - place the RDGW in the LAN, then port forward port 443 into it from internet
  Any help is greatly appreciated.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  The deployment is totally depends on your & company requirements as many things to taken care such as Hardware, Network, Security and other related stuff. Personally to setup RD Gateway server I would not prefer you to select 1st option. But as per my research,
  for best result you can use option 2 (To place RDG server in DMZ and then allowed the required ports). Because by doing so outside network can’t directly connect to your internal server and it’s difficult to break the network by any attackers. A perimeter
  network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway,
  RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer
  beneath article for more information.
  RD Gateway deployment in a perimeter network & Firewall rules
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• RDS 2012 - Certificates

  Hi all,
  This is my setup :
  RDS 2012 R2
  Two connection brokers setup in HA:  FQDN = RDCB.Internaldomain.com
  Two Web Access servers for internal user setup with DSN Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
  Two Gateway servers in HA:  FQDN:
   RemoteGW.InternalDomain.com
  Both Gateway server have RD Web Access installed and using DNS Round Robin to have a basic HA): FQDN 
  RemoteWA.ExternalDomain.com
  My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying
  one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker –Single Signon, RD Connection Broker -
   Publishing, RD Web Access and RD Gateway).
  Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
  Best regards,
  Jesmat.

  Hello,
  In your FQDN  did you forget to add a "." as : RDCB.Internaldomain.com
  and RemoteWA.ExternalDomain.com
  are 2 different domain names
  The SAN option i thiink will not be liable here . Except if you use self signed for your internal connection  ans
  the san for the external one.
  refer to :http://en.wikipedia.org/wiki/Wildcard_certificate
  But i cannot confirm that the san certificate will be allowed on the gateways.
  Hope it helps 
  Fred

• Certificate setup RDS 2012 R2

  Hi,
  I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or
  Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
  For now, i have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licesning server. So a total of 7 servers (+ 2 GRGW servers in DMZ that are not set up
  yet).
  So, the issue is; I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. Ok, but what do i ask for? I need 3
  DER encoded binary X.509
  certs. That's the info i have. How can create a cert. request? See pictures below.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  Thank you for your posting in Windows Server Forum.
  Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
  As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also. 
  If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
  IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
  But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
  Please check below articles for detail.
  1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  2. Configuring RDS 2012 Certificates and SSO
  3. Minimum Certificate Requirements for Typical RDS implementation
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• RDS 2012 R2 - RemoteApp Disconnected

  Hi RDS 2012 R2 Experts,
  I would like some guidance here if possible
  My setup is a follow.
  1x 2012r2 with the following role, Broker, Web access, Gateway and License called RDS01
  2x 2012r2 Session Host called RSH01 an RSH02
  1x wildcard cert
  I would like to my users to be able to either internal and external to use the same link, remote.mydomain.com since my internal domain is mydomain.local
  What i have done so far.
  Created a DNS Zone called remote.mydomain.com and added the following records there.
  REMOTE, it points to web access server IP 192.168.1.31 ( same server for Gateway and Broker )
  2x RDSFarm, one record points to RSH01 and the other to RSH02, 192.168.1.32 and 33
  Gateway, the record points to 192.168.1.31 ( same servers as broker and web access)
  Broker, the record points to 192.168.1.31 ( same servers as web access and gateway)
  i have set the gateway manager the following
  Edited the deployment RD Gateway to remote.mydomain.com
  Installed the wildcert for all the roles, *.mydomain.com in all 4 roles
  created Manage Local computer groups and added both RSH01 and 02, RDSFarm record, remote record, gateway record and broker record
  linked the allowed resources with the policy and users ( also tried allow users to connect to any resources )
  configure the gateway in the RD Gateway farm
  Configured the IIS to
  auto redirect
  and the DefaultTSGAteway under Pages to remote.mydomain.com
  Also I used the Set-PublishName (http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80) to change it to broker.mydomain.com
  Now, the issue I have is, when users either internally or externally try to launch a RemoteApp they get the error.
  RemoteApp Disconnected
  This computer cant connect to the remote computer.
  Try connecting again.
  To overcome this error I did the following:
  Set-PublishName to RDSFarm.mydomain.com ( it is using the round robin to get to the session host servers)
  There is two problem with this setup.
  I no longer can shadow the users under Connections in the broker ( it seems to be bypassed )
  I get certificate mismatch due the servers names
  What I would like to achieve is to fix both problems above.
  Thanks for any advice in advance.
  N0tl3_Bouya

  Hi,
  Thank you for posting in Windows Server Forum.
  Initially check that you have applied external used FQDN of server under Server name in RD Gateway Deployment properties and used Bypass RD Gateway for local address. 
  Please try to perform the steps 
  •  Create a new DNS zone, .COM to allow split-brain DNS (so that internal clients can resolve external names internally)
  •  Create a relevant DNS entry in the aforementioned zone to point to the RDS environment’s internal IP address
  •  Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS’s external IP address
  •  Use the following script to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop connection feed 
  Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
  http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
  In addition, for shadow related issue you can use the server in administrative mode use mstsc /shadow command and check the result. 
  Detailed walkthrough on Remote Control (Shadowing), reintroduced in Windows Server 2012 R2  
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• RDS 2012 R2 Separate Session Collection Behavior

  Hi everyone!  I should start by saying that I've found a number of threads which are semi-related to this topic, but they just don't seem to address my particular complaint.  I'm not sure if this is a bug, a configuration error on my part, or if
  it is expected behavior (which would be unfortunate for my intended use cases).
  The issue is that I need to provide two separate collections of RemoteApps, and I only want the collection appropriate to the logged-in user to be displayed in Web Access (or in the feed, for that matter).  One collection includes an expansive set of
  RemoteApps, and the other collection includes a limited subset of those published in the first.
  Now, I know that a SH can only belong to one session collection.  That makes sense, and in my case, I wouldn't want it any other way.  It offers better separation between the user environment intended for use by employees, and the user environment
  intended for use by non-employees, which is a bit more restrictive.  (Those are the actual purposes of the two collections described earlier.)  So far, so good.  Now, it seems to me like every other role beside the SH role should be able to
  do its job for all collections.  What other purpose could the concept of a "Collection" possibly serve, after all?  If I had to stand-up Connection Broker, Web Access, Gateway, and Session Host for every collection of RemoteApps, then there
  wouldn't need to exist any concept in RDS 2012 R2 called "Collections".  So, I figured that Connection Broker, Web Access, and Gateway could serve all collections, and Session Host is of course limited to serving one single collection.  And,
  I guess, that's largely the way it works, with one exception.
  My issue is that in Web Access, all RemoteApps from all published RemoteApp collections are presented to every user who has access to one collection OR the other, despite my best intentions of having provisioned each collection with seprate user group assignments
  using two separate AD groups.  I don't want to advertise all RemoteApps from all collections in the Web Access namespace!  To me, the presence of "User Group" configuration at both the Collection level and at the RemoteApp level implies
  that there is some user group filtering going on, but so far that's looking like a false assumption.  Why would the RemoteApp list in one collection bleed into the RemoteApp list in the second collection?  Why would I want the users of one collection
  to see the applications of the other, even when they're not going to be able to launch them anyway?
  Does anyone have anything to add to the equation?  Is there something I'm missing?  Thanks ahead of time.

  This is now resolved.  There is obviously some additional configuration necessary in some relatively odd places when you want your RemoteApp collections to work as advertised.  I hope this thread can help others in that regard.
  The relevant (error) event generated for each "populate list of RemoteApps for Web Access" process (refreshing the web access portal was my test case), when my IIS application pool is provisioned by the new AD account is Event ID 10, Source: RDWebAccess. 
  In the body, it says "[...] unable to access rdcb1.[local]" and suggests that the RD Web Access server needs to be added to the TS Web Access Computers security group on the connection broker.  However, that was obviously already the case.
  Although not 100% correct in its suggested resolution, this error was helpful, because it shows that the break is occurring when Web Access tries to populate RemoteApps, and is shows that the break is occurring en-route to the CB server.  So, I added
  the new service account (for the Web Access application pool identity) to the Administrators group on the server with the CB role, and all is now resolved.  I now have two separate collections, the list of each appearing for the appropriate user scopes,
  but not for both user scopes like before. 
  Obviously, adding an account as an administrator fixes a lot of access related things very easily, but it is probably not the least-privileged way of doing things.  To that end, I'd like to know the least privileged way, but can certainly live with
  this much improved functionality as-is.
  Thanks for all your help, Razwer.

• Cidway with RDS 2012 R2

  Hi,
  We want to run two factor login for RDS 2012 R2 web by using cidway, is this possible?

  Hi,
  Thank you for your posting in windows Server Forum.
  You can use 2 factor authentication for RD Web with RD gateway setup on your network, so that you can work seamlessly and can enjoy the function of RD gateway pluggable authentication. For that you on client system you can install new RDP 8.1 and enjoy full
  feature. 
  What's New in Remote Desktop Services for Windows Server 2012 R2
  Customizing RD Gateway authentication and authorization schemes
  In addition, you can also refer below thread.
  RDS 2012 2 Factor Authentication
  For 3rd party authentication, you need to contact their customer support whether they support the feature to access with Windows Server feature or not.
  Hope it helps! 
  Thanks,
  Dharmesh

• 2012 TS Gateway and UDP

  I have a 2012 TS gateway for remote access for our Session Host server.
  The TS gateway is on the LAN and the Firewall forwards request from our external IP on to the TS Gateway, in the past 2008 and R2 we have just had 80 and 443 open  and it works fine, as it still does on 2012.
  I want to enable the 2012 UDP option 3391 so I asked our ISP to also open the UDP port 3391 both ways.
  Now RDS doesn't work properly, I can see in the TS Gateway monitoring that clients are connected http and usually 2 UDP connections, The Client when you click on the connection button we get connection is good or excellent and UDP is enabled.
  From the Client end the best way to explain the experience is things will work smoothly for a while then hang if you try to resize windows it takes a while to do, what is really interesting is if you set of a video in a portion of the screen this will continue
  to stream ok whilst the rest fails to redraw correctly.  Also interestingly if you move the Windows Media Player around the video moves around flawlessly but the surround stays where it was originally.
  Turn off UDP and things go back to normal, I would like UDP to work because on constrained connections the experience isn't brilliant.
  Is there anything I'm doing wrong should I ask for established related through the firewall? is there anything I can look at to see how I can improve this. 
  If I force an internal client to connect to the Gateway the UDP experience is absolutely fine. 
  Its a bit frustrating that I can only test this issue remotely.
  Any help would be appreciated, as the information on the internet is scanty
  Thanks Gordon.

  I have a 2012 TS gateway for remote access for our Session Host server.
  The TS gateway is on the LAN and the Firewall forwards request from our external IP on to the TS Gateway, in the past 2008 and R2 we have just had 80 and 443 open  and it works fine, as it still does on 2012.
  I want to enable the 2012 UDP option 3391 so I asked our ISP to also open the UDP port 3391 both ways.
  Now RDS doesn't work properly, I can see in the TS Gateway monitoring that clients are connected http and usually 2 UDP connections, The Client when you click on the connection button we get connection is good or excellent and UDP is enabled.
  From the Client end the best way to explain the experience is things will work smoothly for a while then hang if you try to resize windows it takes a while to do, what is really interesting is if you set of a video in a portion of the screen this will continue
  to stream ok whilst the rest fails to redraw correctly.  Also interestingly if you move the Windows Media Player around the video moves around flawlessly but the surround stays where it was originally.
  Turn off UDP and things go back to normal, I would like UDP to work because on constrained connections the experience isn't brilliant.
  Is there anything I'm doing wrong should I ask for established related through the firewall? is there anything I can look at to see how I can improve this. 
  If I force an internal client to connect to the Gateway the UDP experience is absolutely fine. 
  Its a bit frustrating that I can only test this issue remotely.
  Any help would be appreciated, as the information on the internet is scanty
  Thanks Gordon.
  Hi everyone
  This is funny, but just the same I experienced yesterday.
  The same issues i have now since i opened 3391 ono my firewall, to provide UDP connections.
  My 3 Server Setup:
  RDGW, RDCB, RDWEB (2012)
  RDSH1 (2012)
  RDSH2 (2012)
  I cannot exatly say when the disconnections are happening, but they are unreliable.
  When i block UDP Port on my firewall everything is normal again.
  It cannot be a network issue, i can reproduce this problem on different vSphere platforms.
  @Ryan Mangan
  Hey Ryan
  Regarding your suggestion on GP-Settings for Remote-FX, these policies are both not configured.
  As i understand, there is no need to configure them.
  Regards
  Ajdin

• RDS 2012 - Certificate Mistmatch

  I am getting the most annoying error with my RDS 2012 Setup.
  certificate mismatch and double password prompts when trying to connect to my RDS setup.
  I have tried all that's out there and have got no positive results.
  All roles are on identical on 2 servers. the RDCB is in HA Mode.
  I keep getting the Certificate mismatch error.
  Already have a public or external SAN certificate assigned to all roles.
  Ran the powershell and wmi query to ensure the correct url is used when connected to gateway but I still get the double prompt when launching the remoteapps.
  I even tried the approach by cleaning IE's history, data to get the RDPSHplugin and its not helped in my case.
  All servers run 2012.
  I need some urgent assistance, please and thank you
  I have also checked and rebooted the RDS environment multiple times.
  All certs show valid. the mismatch also goes to another cert in my environment which is utilized by OWA.
  Please help me.

  I downloaded the script to C:\ and tried running it - no luck
  PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
  computer. Do you want to run C:\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  iwmi : Privilege not held.
  At C:\Set-RDPublishedName.ps1:9 char:11
  + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
      + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod
  I also tried it from the other HA RDCB server.
  PS C:\> .\Set-RDPublishedName.ps1 "remote.domain.com"
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm
  computer. Do you want to run C:\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  Set-RDClientAccessName : A valid fully qualified domain name (FQDN) for the server was not specified.
  At C:\Set-RDPublishedName.ps1:22 char:1
  + Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $Cl ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
      + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-RDClientAccessName
  I also tried is this way- 
  PS C:\Users\administrator.TBCL\Downloads> .\Set-RDPublishedName.ps1
  Security warning
  Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
  computer. Do you want to run C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1?
  [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
  cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
  Supply values for the following parameters:
  (Type !? for Help.)
  ClientAccessName: remote.domain.com
  iwmi : Invalid namespace
  At C:\Users\administrator.TBCL\Downloads\Set-RDPublishedName.ps1:9 char:11
  + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [Invoke-WmiMethod], ManagementException
      + FullyQualifiedErrorId : InvokeWMIManagementException,Microsoft.PowerShell.Commands.InvokeWmiMethod

• RDS 2012 Deployment guide

  Hi,
  I'm looking for a RDS 2012 Deployment Guide or best practices document but not finding it.  Basically I'm looking for the equivalent of the document below but for Server 2012 R2 instead of 2008 R2
  <won't let me add link to body yet>
  We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning.  Initially I'm mainly curious about the recommendations on how many servers are needed and which roles can be combined
  on single servers and which need to be broken out onto their own boxes.  For example is it best to have the RD Gateway and the RD Web Access roles on their own individual servers or should/can they be combined on to one box in the DMZ? 
  If separate; can one of them also double as the connection broker?  That sort of thing. 
  Any help is appreciated.  Thanks

  Hi Col,
  Have a look at the following articles:
  http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/ 
  I would recommend that you look at splitting the roles on a large environment or use a layer 7 load balancer so you can scale up the number of Gateway/RDweb servers if your connections grow.
  I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
  a example configuration:
  Server 1 : connection broker and Licensing role
  Server 2 : Session host
  Server 3 : RDWeb and RD Gateway.
  This may help you with regards to capacity planning:
  http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

• 2 Separate RDS 2012 R2 Deployments in Same Domain ?

  We have a current RDS 2012 R2 deployment. We are changing hosting vendors and want to completely redo the entire deployment (rather than try to migrated the VMs). What is the best way to go about this?
  We do want to continue to use the GPO and user files will be migrated. How can we have the prod and dev RDS environments coexisting on the same domain? 
  Just to clarify, we do not want to use any of the existing infrastructure because it is all going to go away. Thank you!

  Hi,
  Thank you for posting in Windows Server Forum.
  I thinks that good way to start for new environment without any mixing up. Yes, everything can be setup under same domain. For common domain environment,
  You can buy one single wildcard certificate with domain name which can be used for all roles. As in domain joined environment, we can use to have them both RDS server use the same RD Gateway. For this we need to enter the same FQDN of working RDG into the Deployment
  properties of the second deployment.
  There are several other points which need to check, you can refer following article for depth understanding and configuration.
  1.Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
  2. How To Work with RD Gateway in Windows Server 2012
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support